rmaucher commented on PR #888:
URL: https://github.com/apache/tomcat/pull/888#issuecomment-3253281669

   I cleaned it up a little, and verified it works (well, since mod_ssl does it 
...). The change is not very intrusive overall. This still feels like a 
temporary solution at the moment though.
   
   About the client hello processing: Tomcat does it in TLSClientHelloExtractor.
   
   I skipped adding the specific certificate type at the moment since it's also 
a bit useless.
   
   The config looks like (using DSA as a placeholder for "non RSA", and with 
TLS 1.3 being enabled by default - it could be reasonable to restrict this to a 
TLS 1.3 only SSLHostConfig):
        <Connector port="8454" protocol="HTTP/1.1"
                   SSLEnabled="true" scheme="https" secure="true">
            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <SSLHostConfig>
                <Certificate certificateFile="${catalina.home}/conf/localhost-mldsa.crt"
                             certificateKeyFile="${catalina.home}/conf/localhost-mldsa.key"
                             type="DSA" />
                <Certificate certificateFile="${catalina.home}/conf/localhost-rsa.crt"
                             certificateKeyFile="${catalina.home}/conf/localhost-rsa.key"
                             type="RSA" />
            </SSLHostConfig>
        </Connector>
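The selection the comment describes (serve the non-RSA certificate only when the client's ClientHello advertises an ML-DSA signature scheme, otherwise fall back to RSA) as an added, stand-alone illustration; this is not Tomcat's TLSClientHelloExtractor nor code from the PR. It assumes the IANA SignatureScheme code points for mldsa44/65/87 (0x0904..0x0906, from draft-ietf-tls-mldsa) and reuses the PR's "DSA" label as the placeholder for "non RSA"; the ClientHello bytes are constructed for the demonstration.

```python
import struct

# SignatureScheme code points from the IANA TLS registry. The ML-DSA values
# (mldsa44/65/87 = 0x0904..0x0906) follow draft-ietf-tls-mldsa and are an
# assumption of this example, as is the "DSA" label the PR uses for non-RSA.
MLDSA_SCHEMES = {0x0904, 0x0905, 0x0906}
RSA_SCHEMES = {0x0401, 0x0501, 0x0601, 0x0804, 0x0805, 0x0806}
EXT_SIGNATURE_ALGORITHMS = 13


def client_hello_signature_schemes(record: bytes) -> set:
    """Return the SignatureScheme values advertised in a TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                           # client_version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos >= len(body):
        return set()                                       # legacy hello: no extensions
    ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:                              # walk the extension list
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            count = struct.unpack(">H", data[:2])[0] // 2
            return set(struct.unpack(">%dH" % count, data[2:2 + 2 * count]))
    return set()


def choose_certificate_type(schemes: set) -> str:
    """Pick the <Certificate type=...> to serve: the "DSA" (ML-DSA) entry if the client can verify it, else "RSA"."""
    return "DSA" if schemes & MLDSA_SCHEMES else "RSA"


def build_client_hello(schemes) -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello record advertising the given schemes (test input only)."""
    sig_list = b"".join(struct.pack(">H", s) for s in schemes)
    ext = struct.pack(">HHH", EXT_SIGNATURE_ALGORITHMS, len(sig_list) + 2, len(sig_list)) + sig_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite (TLS_AES_128_GCM_SHA256), null compression
            + struct.pack(">H", len(ext)) + ext)
    return b"\x16\x03\x03" + struct.pack(">H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body
```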


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.